【问题标题】:How to get rid of Django security vulnerabilities warning signs in terminal如何摆脱终端中的Django安全漏洞警告标志
【发布时间】:2021-03-18 04:53:24
【问题描述】:

我有一个带有 PostgreSQL 后端的简单 Django 项目,但我似乎无法摆脱终端上的 Django 安全漏洞警告标志。

Settings.py:

import os
...
ENVIRONMENT = os.environ.get('ENVIRONMENT', default = 'development')
...
SECRET_KEY = os.environ.get('SECRET_KEY')
DEBUG = int(os.environ.get('DEBUG', default=0))
ALLOWED_HOSTS = ['localhost', '127.0.0.1']
DATABASES = {
'default': {
    'ENGINE': 'django.db.backends.postgresql',
    ...
    'HOST': 'db',
    'PORT': 5432
    }
}
if ENVIRONMENT == 'production':
   SECURE_BROWSER_XSS_FILTER = True
   X_FRAME_OPTIONS = 'DENY'
   SECURE_SSL_REDIRECT = True
   SECURE_HSTS_SECONDS = 3600
   SECURE_HSTS_INCLUDE_SUBDOMAINS = True
   SECURE_HSTS_PRELOAD = True
   SECURE_CONTENT_TYPE_NOSNIFF = True
   SESSION_COOKIE_SECURE = True 
   CSRF_COOKIE_SECURE = True 
   SECURE_REFERRER_POLICY = 'same-origin'

docker-compose.yml:

version: '3.8'

services:
  web:
    build: .
    command: python /code/manage.py runserver 0.0.0.0:8000
    environment:
      - SECRET_KEY="SECRET_KEY"
      - DEBUG=1
      - ENVIRONMENT=development
    volumes:
      - .:/code
    ports:
      - 8000:8000
    depends_on:
      - db
  db:
    image: postgres:12.3
    volumes:
      - postgres_data:/var/lib/postgresql/data/

volumes:
  postgres_data:

docker-compose-prod.yml:

version: '3.8'

services:
  web:
    build: .
    command: python /code/manage.py runserver 0.0.0.0:8000
    environment:
      - SECRET_KEY="SECRET_KEY"
      - DEBUG=0
      - ENVIRONMENT=production
    ports:
      - 8000:8000
    depends_on:
      - db
  db:
    image: postgres:12.3

我在终端上运行的是什么:

sudo docker-compose down
sudo docker-compose -f docker-compose-prod.yml -f docker-compose.yml up -d --build
sudo docker-compose exec web python manage.py check --deploy

运行“sudo docker-compose exec web python manage.py check --deploy”后,我收到以下警告:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
  ?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
  ?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
  ?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
  ?: (security.W018) You should not have DEBUG set to True in deployment.
  ?: (security.W022) You have not set the SECURE_REFERRER_POLICY setting. Without this, your site will not send a Referrer-Policy header. You should consider enabling this header to protect user privacy.

我认为由于 settings.py 中的 if 语句,警告会消失。


我也尝试在终端上运行它:

sudo docker-compose down
sudo docker-compose -f docker-compose-prod.yml up -d --build
sudo docker-compose exec web python manage.py check --deploy

但是,我最终得到了一个不同的错误:

django.db.utils.OperationalError: could not translate host name "db" to address: Name or service not known

我不确定我哪里出错了。关于如何让它发挥作用有什么想法吗?任何意见都非常感谢。

已编辑:我使用 Firefox 作为我的网络浏览器。

【问题讨论】:

  • 您是否尝试过为生产和测试创建单独的 .env 文件?
  • 关于你的数据库的第二个错误也很有趣......你可能想发布关于你的 compose 文件和生产设置的更多配置信息

标签: python-3.x django postgresql docker security


【解决方案1】:

首先将此代码粘贴到settings.py 并保存

# security.W018
DEBUG = False

# security.W016
CSRF_COOKIE_SECURE = True

# security.W012
SESSION_COOKIE_SECURE = True

# security.W008
SECURE_SSL_REDIRECT = True

# security.W004
SECURE_HSTS_SECONDS = 31536000 # One year in seconds

# Another security settings
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_CONTENT_TYPE_NOSNIFF = True

# security.W022
# I think it won't be needed. Because there are many ways.

参考:Django check deploy warnings - Knowivate Developers

Django 文档:https://docs.djangoproject.com/en/3.2/ref/checks/#security

如果在此之后还有任何错误,请告诉我。我也会尝试解决这个问题。

如果有任何错误,请告诉我,以便我更正。

【讨论】:

    猜你喜欢
    • 2023-03-06
    • 2018-10-31
    • 1970-01-01
    • 2015-03-22
    • 1970-01-01
    • 2016-10-19
    • 1970-01-01
    • 2011-03-20
    • 1970-01-01
    相关资源
    最近更新 更多